On 2/5/07, <b class="gmail_sendername">Steven Milburn</b> <<a href="mailto:steven.milburn@gmail.com">steven.milburn@gmail.com</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<span class="q"><div><br></div></span>Newer fingerprint reader technologies actually account for this pretty well. A detached finger is seen as a spoof attempt, if it even images properly at all. Your information on these sensors, like most people's, is outdated. And I don't think that's really an accident.
</blockquote><div><br>Yes, there are newer sensors that are more effective at detecting such spoofs, but that doesn't make the problem worth trivializing. It wasn't that long ago (think less than five years) that many COTS fingerprint sensors were shown to be vulnerable to "fake finger" attacks. These systems used "live finger detection" schemes such as capacitance sensors and temperature sensors and were handily defeated by imprinted gummy bears moistened by a bit of saliva and held in the attacker's hand for a few seconds. Yes, I said gummy bears. The point is that it would be irresponsible to assume that some random COTS sensor is using the most current technology in their products. The fingerprint skeptics' information is probably less outdated than the sensors some of these companies are using.
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">But, let me humor you for a moment. If I'm willing to cut off your finger to get into your mobile device, why wouldn't I be willing to put a gun to your head and/or torture you until you give me your password?
</blockquote><div><br>You are absolutely right. That being said, I'd be more worried about a guy with access to my latents, a PCB printer, and some Sour Patch Kids. ;) (See <a href="http://www.schneier.com/crypto-gram-0205.html#5">
http://www.schneier.com/crypto-gram-0205.html#5</a>)<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><span class="q"><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
1) full hardware docs (may be under NDA, but allowing GPL software<br> development)
<br>2) small enough for a mobile device<br>3) cheap enough<br>4) not easy to fool<br></blockquote><br></span>The sensor Mark's talking about definitely fulfills the last three. </blockquote><div><br>Which sensor was he talking about? I didn't catch it.
<br><br>At any rate, a good resource for comparing fingerprint sensors and algorithms is the NIST Image Group's fingerprint lab.<br><br><div style="text-align: center;"><a href="http://fingerprint.nist.gov">http://fingerprint.nist.gov
</a><br></div><br>Sure, the algorithms are guarded, but looking at some of these tests is a pretty decent way of separating the wheat from the chaff. To put this in perspective, the United States government (including the Department of Homeland Security and all other civilian departments and agencies) uses these tests to make their equipment requisitions.
<br><br>Disclaimer: I used to consult to NIST and I contributed to a FIPS and a Special Publication on material related to this domain.<br><br>Cheers,<br>Pius<br></div></div><br>